A newly disclosed denial-of-service (DoS) vulnerability class in HTTP/2 implementations centres on the protocol's CONTINUATION frame. The technique, dubbed HTTP/2 CONTINUATION Flood, was reported by security researcher Bartek Nowotarski to the CERT Coordination Center (CERT/CC) on January 25, 2024.
CERT/CC issued an advisory on April 3, 2024, stating that many HTTP/2 implementations do not properly limit or sanitize the number of CONTINUATION frames sent within a single stream. An attacker who can send packets to the server can emit a long sequence of CONTINUATION frames; depending on the implementation, these are either appended to the header list in memory without bound, which ends in an out-of-memory (OOM) crash, or discarded from the header list but still processed and decoded, which burns CPU for a request that never completes.
As in HTTP/1, HTTP/2 carries request and response metadata in header fields. A set of header fields forms a header list, which is serialized (HPACK-compressed) into a header block. RFC 7540, since superseded by RFC 9113, specifies that a header block is split into fragments and transmitted in a HEADERS (or PUSH_PROMISE) frame followed by zero or more CONTINUATION frames.
The CONTINUATION frame, type 0x9 in RFC 7540, carries further fragments of a header block started by an earlier frame. The specification places no upper bound on their number: any number of CONTINUATION frames may be sent, as long as the preceding frame is on the same stream and is a HEADERS, PUSH_PROMISE, or CONTINUATION frame without the END_HEADERS flag set. Only END_HEADERS terminates the block, and the receiver cannot decode it until then.
Nowotarski emphasizes that CONTINUATION Flood is a significant threat across many HTTP/2 implementations and, in many scenarios, more severe than previously identified attacks such as Rapid Reset, disclosed in October 2023. A single machine, in some cases a single TCP connection, can take a server down through cascading effects including crashes and drastic performance drops. Because the header block never completes, no request is ever formed, so the traffic leaves no trace in HTTP access logs, which complicates detection.
The root cause is improper handling of a HEADERS frame followed by many CONTINUATION frames. An attacker opens a new stream on a vulnerable server and sends a HEADERS frame and then CONTINUATION frames, none of which sets END_HEADERS, producing an endless stream of header block fragments that the server must keep buffering or decoding without ever being able to finish the request.
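To make the framing rules from the preceding paragraphs and the attack they enable concrete, the following added example (written for this article; it is not code from the original post, from Nowotarski, or from any affected project) serializes HTTP/2 frames per the RFC 9113 frame layout, builds the HEADERS-plus-CONTINUATION sequence described above as a constructed byte string, and then runs a small server-side reassembler over it. The reassembler enforces the two caps the affected implementations lacked, a bound on buffered header-block bytes and a bound on CONTINUATION frames per block, and raises a connection-level error when either is exceeded; passing `None` for a cap reproduces the unbounded buffering. The limit values, the function names, and the treatment of the fragment as an opaque blob (HPACK decoding is omitted) are all assumptions of this example.

```python
import struct

# Frame types and flags from RFC 9113 (values unchanged from RFC 7540).
FRAME_HEADERS = 0x1
FRAME_PUSH_PROMISE = 0x5
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
HEADER_BLOCK_FRAMES = {FRAME_HEADERS, FRAME_PUSH_PROMISE, FRAME_CONTINUATION}


class ProtocolError(Exception):
    """Connection error: the peer violated the header-block framing rules."""


class HeaderBlockTooLarge(Exception):
    """Connection error: a header block exceeded the configured caps."""


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags,
    reserved bit plus 31-bit stream identifier, then the payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds the 24-bit length field")
    return (struct.pack("!I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def build_continuation_flood(stream_id, fragment, n_continuations):
    """Constructed attacker-side byte stream: one HEADERS frame followed by
    n CONTINUATION frames on the same stream, none carrying END_HEADERS,
    so the header block never terminates.  The fragment is an opaque
    header block fragment; HPACK encoding is omitted (assumption)."""
    out = bytearray(build_frame(FRAME_HEADERS, 0, stream_id, fragment))
    for _ in range(n_continuations):
        out += build_frame(FRAME_CONTINUATION, 0, stream_id, fragment)
    return bytes(out)


def iter_frames(data):
    """Split a raw byte stream into (type, flags, stream_id, payload) tuples."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame")
        yield ftype, flags, stream_id, payload
        pos += 9 + length


def reassemble_header_blocks(data, max_header_block_bytes=16 * 1024,
                             max_continuation_frames=16):
    """Server-side header block reassembly with two caps: total buffered
    header-block bytes and CONTINUATION frames per block.  None disables a
    cap, reproducing the unbounded buffering.  The default values are
    assumptions for this example, not any real server's settings.

    Returns (completed_blocks, bytes_still_buffered_in_an_open_block)."""
    completed = []
    open_stream = None        # stream whose header block is still open
    buf = bytearray()
    continuations = 0
    for ftype, flags, stream_id, payload in iter_frames(data):
        if open_stream is None:
            if ftype == FRAME_CONTINUATION:
                raise ProtocolError("CONTINUATION without a preceding HEADERS")
            if ftype not in HEADER_BLOCK_FRAMES:
                continue          # DATA, SETTINGS, etc. are out of scope here
            open_stream, buf, continuations = stream_id, bytearray(payload), 0
        else:
            # While a block is open, only CONTINUATION on that same stream is legal.
            if ftype != FRAME_CONTINUATION or stream_id != open_stream:
                raise ProtocolError("frame interleaved inside a header block")
            continuations += 1
            if (max_continuation_frames is not None
                    and continuations > max_continuation_frames):
                raise HeaderBlockTooLarge(
                    f"more than {max_continuation_frames} CONTINUATION frames")
            buf += payload
        if max_header_block_bytes is not None and len(buf) > max_header_block_bytes:
            raise HeaderBlockTooLarge(
                f"header block exceeds {max_header_block_bytes} bytes")
        if flags & FLAG_END_HEADERS:
            completed.append((open_stream, bytes(buf)))
            open_stream, buf, continuations = None, bytearray(), 0
    return completed, len(buf)


def classify(data, **caps):
    """Report how reassembly handled the input: 'ok', 'protocol_error'
    or 'too_large'.  Helper for checks; not part of the protocol."""
    try:
        reassemble_header_blocks(data, **caps)
    except ProtocolError:
        return "protocol_error"
    except HeaderBlockTooLarge:
        return "too_large"
    return "ok"
```

Feeding `build_continuation_flood(1, b"\x00" * 1024, 100)` to the capped reassembler raises `HeaderBlockTooLarge` after the sixteenth CONTINUATION, the point at which a real server would send GOAWAY and close the connection; the same bytes with both caps set to `None` leave 101 KiB sitting in the buffer with no completed block, which is the memory growth the advisory describes, and a larger fragment or more frames scales it linearly. A legitimate three-frame block (HEADERS, CONTINUATION, CONTINUATION with END_HEADERS) reassembles normally under the default caps, so the check costs well-behaved clients nothing.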
The impact depends on the implementation: some servers crash after only a handful of frames, others degrade through memory or CPU exhaustion until they can no longer serve legitimate traffic. RFC 9113, the current HTTP/2 specification, itself warns of security issues that arise when CONTINUATION frames are not handled correctly.
Affected projects include amphp/http, Apache HTTP Server, Apache Tomcat, and Envoy proxy, among others; the fixes bound the size of a header block and the number of CONTINUATION frames accepted before END_HEADERS. Operators should update vulnerable software to patched versions promptly. Where that is not immediately possible, disabling HTTP/2 on the affected server removes the attack surface at the cost of falling back to HTTP/1.1.